
Bootstrapper

The Bootstrapper runs as an init container that authenticates with RAD Security and registers the cluster within RAD. Because it is an init container, its resources are only consumed while it runs, before the main plugin containers start.
Helm Key                                      Default Value
bootstrapper.resources.limits.cpu             100m
bootstrapper.resources.limits.memory          64Mi
bootstrapper.resources.requests.cpu           50m
bootstrapper.resources.requests.memory        32Mi

Guard

Guard is the plugin that evaluates GuardPolicy rules (written in Rego) against a specific set of Kubernetes resources during their admission to the cluster, either allowing or denying the admission. The resources this plugin needs are proportional to the frequency with which resources are admitted to the cluster and to the number of policies that must be evaluated against each resource.
Helm Key                                      Default Value
guard.resources.limits.cpu                    500m
guard.resources.limits.memory                 500Mi
guard.resources.requests.cpu                  100m
guard.resources.requests.memory               100Mi

Runtime

The Runtime plugin is an eBPF sensor and exporter that collects runtime events from Kubernetes cluster nodes and ships them to the RAD Security platform, allowing RAD to detect and respond to potential security breaches as they occur. The plugin consists of two containers.

The "agent" container loads the eBPF programs and reads events from the eBPF ring buffer. It keeps an in-memory queue of configurable size; a larger queue reduces CPU overhead at the cost of a higher memory requirement.

The "exporter" container sends the events received from the agent to the RAD API for analysis. It maintains a configurable number of event queues, splitting the fast stream of events coming from the eBPF probes into slower streams that export the data. Both the number of queues and their size are configurable: fewer queues reduce the exporter's overall CPU usage, and larger queues can reduce it further. The two settings should be tuned together: if the number of queues is reduced, their size should be increased so that the total buffering capacity is preserved.

Note: Runtime runs as a DaemonSet and therefore deploys one pod on every Kubernetes node, so its requests and limits are incurred per node.
Helm Key                                      Default Value
runtime.agent.resources.limits.cpu            200m
runtime.agent.resources.limits.memory         1Gi
runtime.agent.resources.requests.cpu          100m
runtime.agent.resources.requests.memory       128Mi
runtime.exporter.resources.limits.cpu         500m
runtime.exporter.resources.limits.memory      1Gi
runtime.exporter.resources.requests.cpu       100m
runtime.exporter.resources.requests.memory    128Mi

SBOM

The SBOM plugin calculates SBOMs directly on the customer cluster. It runs as a mutating admission webhook: when a workload references an image by tag only, the webhook adds the image digest alongside the tag, so that the image actually deployed is exactly the image that RAD Security scanned (a tag can later be moved to a different image; a digest cannot). The plugin sees every new workload and calculates SBOMs for its images. To save time and resources, it first checks with the RAD Security API whether an SBOM is already known for a given image digest; if not, the SBOM is generated and uploaded to RAD Security for further processing. The plugin's resource requirements depend on the size of the images to be analyzed and the frequency with which they are admitted to the cluster.
Helm Key                                      Default Value
sbom.resources.limits.cpu                     1000m
sbom.resources.limits.memory                  2Gi
sbom.resources.requests.cpu                   500m
sbom.resources.requests.memory                1Gi
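The digest-pinning step of a mutating webhook like the one described above, as an added illustration that is not RAD Security's code (the plugin's real implementation, and what it does when a digest cannot be looked up, are not shown on this page). The function takes an AdmissionReview in the shape the API server sends to a webhook, resolves a digest for every container image that is referenced by tag only, and answers with a base64-encoded JSON Patch that appends the digest to the reference. The sample AdmissionReview, the digest table standing in for the registry/platform lookup, and the choice to deny admission when a digest cannot be resolved are all constructed for this example.

```python
import base64
import json
from typing import Callable, Dict, List

# Constructed sample AdmissionReview (admission.k8s.io/v1) for a Pod CREATE.
# Not captured from RAD Security; shaped like what the API server sends a webhook.
SAMPLE_REVIEW: Dict = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "2f6a1c2e-0000-4000-8000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {
                "initContainers": [{"name": "init", "image": "busybox:1.36"}],
                "containers": [
                    {"name": "app", "image": "nginx:1.25"},
                    # Already pinned: must be left untouched.
                    {"name": "sidecar",
                     "image": "ghcr.io/example/sidecar:v2@sha256:" + "a" * 64},
                ],
            },
        },
    },
}

# Constructed stand-in for the digest lookup (registry manifest request, or the
# platform's "is this image already known?" check). Hypothetical values.
FAKE_DIGESTS: Dict[str, str] = {
    "busybox:1.36": "sha256:" + "b" * 64,
    "nginx:1.25": "sha256:" + "c" * 64,
}


def has_digest(image: str) -> bool:
    """True if the reference is already content-addressed (...@sha256:<hex>)."""
    return "@sha256:" in image


def pin_reference(image: str, digest: str) -> str:
    """Keep the tag for readability and append the digest; at pull time the
    runtime resolves by digest, so a moved tag can no longer swap the image."""
    return f"{image}@{digest}"


def build_patch(pod: Dict, resolve: Callable[[str], str]) -> List[Dict]:
    """Return a JSON Patch (RFC 6902) that pins every unpinned container image."""
    patch: List[Dict] = []
    for field in ("initContainers", "containers"):
        for idx, container in enumerate(pod["spec"].get(field, [])):
            image = container["image"]
            if has_digest(image):
                continue
            digest = resolve(image)  # KeyError if the resolver does not know it
            patch.append({
                "op": "replace",
                "path": f"/spec/{field}/{idx}/image",
                "value": pin_reference(image, digest),
            })
    return patch


def mutate(review: Dict,
           resolve: Callable[[str], str] = FAKE_DIGESTS.__getitem__) -> Dict:
    """Build the AdmissionReview response. Design choice of this example, not
    documented RAD behaviour: if a digest cannot be resolved, deny admission
    instead of letting an unverifiable image through."""
    req = review["request"]
    response: Dict = {"uid": req["uid"]}
    try:
        patch = build_patch(req["object"], resolve)
    except KeyError as err:
        response["allowed"] = False
        response["status"] = {
            "code": 422,
            "message": f"cannot resolve digest for image {err.args[0]}",
        }
    else:
        response["allowed"] = True
        if patch:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(
                json.dumps(patch).encode()).decode()
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview",
            "response": response}


def decode_patch(result: Dict) -> List[Dict]:
    """Inverse of the encoding above, handy when inspecting webhook responses."""
    encoded = result["response"].get("patch")
    return json.loads(base64.b64decode(encoded)) if encoded else []


if __name__ == "__main__":
    print(json.dumps(decode_patch(mutate(SAMPLE_REVIEW)), indent=2))
```

The patch paths use JSON Pointer syntax (`/spec/containers/0/image`), which is why init containers and containers are walked separately with their own indices; the already-pinned sidecar produces no operation, so re-running the webhook on an already-mutated object is a no-op.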

Sync

Sync is the plugin component that synchronises Kubernetes resources from RAD Security to the customer cluster. Currently only the GuardPolicy CRD is supported, but the mechanism is extensible and allows RAD Security to sync other resource types in the future. The plugin fetches resources from the RAD Security API, applies them to the customer's cluster, and reports the execution status of each back to the RAD Security API via HTTP calls. By default, the interval between fetches is 60 seconds.
Helm Key                                      Default Value
sync.resources.limits.cpu                     200m
sync.resources.limits.memory                  256Mi
sync.resources.requests.cpu                   100m
sync.resources.requests.memory                128Mi

Watch

Watch is the plugin component responsible for syncing cluster state back to RAD Security. On startup, the plugin creates a controller that targets each resource type of interest individually. Its first action is to upload the entire inventory of the cluster. Once the inventory is up to date, the plugin only tracks events generated when a change in an object's (or resource's) state is detected. This avoids the degradation of the API server that polling for resources would cause. A full reconciliation runs every 24 hours by default, in case any delete events were lost, so that RAD Security does not keep tracking stale objects. The resources required by the Watch plugin are driven by the size of the Kubernetes manifests admitted to the cluster and the frequency with which they are admitted.
Helm Key                                      Default Value
watch.resources.limits.cpu                    250m
watch.resources.limits.memory                 512Mi
watch.resources.requests.cpu                  100m
watch.resources.requests.memory               128Mi
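Because Runtime is a DaemonSet, its figures apply once per node, while the other plugins run as ordinary deployments and the Bootstrapper is only an init container. The following added example, which is not part of the RAD documentation or chart, parses the Kubernetes quantity strings used in the tables above, converts the dotted Helm `--set` style keys into the nested layout of a values.yaml, and computes the steady-state cluster-wide reservation the defaults imply for a given node count. It assumes one replica of each non-DaemonSet plugin (scale accordingly if you run more), and the PER_NODE and INIT_ONLY sets encode only what this page states about where each component runs.

```python
import re
from typing import Dict, Tuple

# Helm --set style keys with the default values from the tables on this page.
DEFAULTS: Dict[str, str] = {
    "bootstrapper.resources.requests.cpu": "50m",
    "bootstrapper.resources.requests.memory": "32Mi",
    "bootstrapper.resources.limits.cpu": "100m",
    "bootstrapper.resources.limits.memory": "64Mi",
    "guard.resources.requests.cpu": "100m",
    "guard.resources.requests.memory": "100Mi",
    "guard.resources.limits.cpu": "500m",
    "guard.resources.limits.memory": "500Mi",
    "runtime.agent.resources.requests.cpu": "100m",
    "runtime.agent.resources.requests.memory": "128Mi",
    "runtime.agent.resources.limits.cpu": "200m",
    "runtime.agent.resources.limits.memory": "1Gi",
    "runtime.exporter.resources.requests.cpu": "100m",
    "runtime.exporter.resources.requests.memory": "128Mi",
    "runtime.exporter.resources.limits.cpu": "500m",
    "runtime.exporter.resources.limits.memory": "1Gi",
    "sbom.resources.requests.cpu": "500m",
    "sbom.resources.requests.memory": "1Gi",
    "sbom.resources.limits.cpu": "1000m",
    "sbom.resources.limits.memory": "2Gi",
    "sync.resources.requests.cpu": "100m",
    "sync.resources.requests.memory": "128Mi",
    "sync.resources.limits.cpu": "200m",
    "sync.resources.limits.memory": "256Mi",
    "watch.resources.requests.cpu": "100m",
    "watch.resources.requests.memory": "128Mi",
    "watch.resources.limits.cpu": "250m",
    "watch.resources.limits.memory": "512Mi",
}

# Per this page: Runtime is a DaemonSet (one pod per node) and the Bootstrapper
# is an init container whose reservation is only held during startup.
PER_NODE = frozenset({"runtime"})
INIT_ONLY = frozenset({"bootstrapper"})

_SUFFIX = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
           "k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_cpu(q: str) -> float:
    """Kubernetes CPU quantity -> cores ("500m" -> 0.5, "2" -> 2.0)."""
    return int(q[:-1]) / 1000 if q.endswith("m") else float(q)


def parse_memory(q: str) -> int:
    """Kubernetes memory quantity -> bytes ("128Mi", "1G", "512000000")."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]i|[kMGT])?", q)
    if not m:
        raise ValueError(f"unsupported memory quantity: {q!r}")
    number, suffix = m.groups()
    return int(float(number) * _SUFFIX.get(suffix or "", 1))


def to_values(flat: Dict[str, str]) -> Dict:
    """Turn dotted --set keys into the nested structure of a values.yaml."""
    root: Dict = {}
    for key, value in flat.items():
        node = root
        parts = key.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return root


def cluster_totals(flat: Dict[str, str], nodes: int,
                   kind: str = "requests") -> Tuple[float, int]:
    """Steady-state CPU (cores) and memory (bytes) the plugins reserve
    cluster-wide at the given node count; kind is "requests" or "limits"."""
    cpu, mem = 0.0, 0
    for key, value in flat.items():
        parts = key.split(".")
        plugin, res_kind, resource = parts[0], parts[-2], parts[-1]
        if res_kind != kind or plugin in INIT_ONLY:
            continue
        factor = nodes if plugin in PER_NODE else 1
        if resource == "cpu":
            cpu += parse_cpu(value) * factor
        elif resource == "memory":
            mem += parse_memory(value) * factor
    return cpu, mem


if __name__ == "__main__":
    for n in (3, 10, 100):
        c, m = cluster_totals(DEFAULTS, n)
        print(f"{n:>4} nodes: requests {c:.2f} cores, {m / 1024 ** 2:.0f} MiB")
```

At 10 nodes the defaults request 2.8 cores and 3940 MiB cluster-wide, of which 2 cores and 2560 MiB are the per-node Runtime pods; the Runtime rows are the ones that dominate as the cluster grows, which is why the queue tuning described in the Runtime section matters more than the other plugins' figures.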

Required Connectivity

All RAD plugins need TCP connectivity to api.rad.security on port 443 to communicate with the RAD platform. If connectivity is lost, the plugins keep trying to reconnect. Loss of connectivity, even for a long period of time, does not affect the operation of the cluster.

Supported OSes And Architectures

The RAD plugins can be used on both ARM64 and x86 architectures. Because the Runtime plugin loads eBPF programs into the node kernel, it is the component with operating-system requirements; it can run on the following OSes.
Name                                Versions
Amazon Linux                        2, 2022, 2023
CentOS                              6.x, 7.x, 8.x, 9.x
Container-Optimized OS              81, 85, 89, 90, 93, 97, 101
Debian                              9, 10, 11, 12
Fedora                              30, 31, 32, 33, 34, 35, 36, 37, 38
Oracle Linux                        8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
Red Hat Enterprise Linux            7.9, 8.0, 8.1.0, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 9, 9.3
Red Hat OpenShift                   4.9
Red Hat OpenShift Service on AWS    4.9, 4.10, 4.11, 4.12
Rocky Linux                         8.4, 8.5, 8.6, 8.7, 9.0, 9.1, 9.2
SUSE                                11.4.20, 12 SP1, 12 SP5, 15, 15 SP1, 15 SP2, 15 SP3, 15 SP4
Ubuntu                              14.04, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 19.04, 19.10, 20.04, 21.04, 21.10, 22.04 LTS, 22.1, 23, 24

Supported K8s environments

The RAD Security plugins support the following Kubernetes versions and Kubernetes service providers.

Kubernetes Configuration
Kubernetes Service Providers        EKS, GKE, AKS, OpenShift, Rancher, Kind, Minikube
Kubernetes Versions                 1.9.x to 1.34.2

Supported Container Runtimes

The following Container Runtimes are supported with the Runtime plugin:
Container Runtime
Dockerd
Containerd
CRI-O